MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f54c2e6d6ba28be88c0e83d20e2c26fb07a091da2acd2a8a52e4b7f6e601e952. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ValleyRAT

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 12 File information Comments

SHA256 hash:	f54c2e6d6ba28be88c0e83d20e2c26fb07a091da2acd2a8a52e4b7f6e601e952
SHA3-384 hash:	b6d79dea6553ee4b292786e2e61e79f5d5f4c07fe663c0c41239f32afa6bc0b32bdd1ef600ff41e759a45c5194a831f4
SHA1 hash:	a6beb5584099b4e663af9715e6bbad52b438f580
MD5 hash:	903d616cdccaeff27ff10ae3aa3356f6
humanhash:	friend-connecticut-papa-papa
File name:	903D616CDCCAEFF27FF10AE3AA3356F6.exe
Download:	download sample
Signature	ValleyRAT Create hunting rule
File size:	4'091'940 bytes
First seen:	2025-12-27 01:20:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ac4ded70f85ef621e5f8917b250855be (82 x OffLoader, 7 x Gh0stRAT, 6 x Tofsee)
ssdeep	98304:yN66sb0l/GUh/gwnBRBh480IBC94S3LLF6:asb0pjB9h01N756
TLSH	T18A160273B286673DE42A06370DB6A169493B7E94642A8C42A6E43C9CCF7D4701D3FB53
TrID	62.3% (.EXE) Inno Setup installer (107240/4/30) 24.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 6.1% (.EXE) Win64 Executable (generic) (10522/11/4) 2.6% (.EXE) Win32 Executable (generic) (4504/4/1) 1.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
dhash icon	74e0c4e4dcdcd4d0 (1 x ValleyRAT)
Reporter	abuse_ch
Tags:	exe RAT ValleyRAT

abuse_ch

ValleyRAT C2:
206.238.144.183:23051

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
206.238.144.183:23051	https://threatfox.abuse.ch/ioc/1686983/

Intelligence

File Origin

# of uploads :

# of downloads :

167

Origin country :

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/95b2624a-ebd6-4dca-865f-2f50e315be75/

Malware family:

n/a

ID:

File name:

903D616CDCCAEFF27FF10AE3AA3356F6.exe

Verdict:

No threats detected

Analysis date:

2025-12-27 01:23:23 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/fbb4dae6-09ad-41d7-b0d0-77c2e46cf216

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/46203/

Verdict:

Malicious

Score:

95.7%

Link:

https://cyber-fortress.com/docs/result/index.php?id=694f346101c7b4a8fe56656f

Tags:

injection dropper virus

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

adaptive-context embarcadero_delphi fingerprint inno installer installer installer-heuristic overlay packed tofsee

Link:

https://www.filescan.io/uploads/694f345d3f8fdbf8e9530def/reports/534ccc05-920e-4f93-bcda-a76dac584b4f/overview

Verdict:

Malicious

Labled as:

Backdoor.Script.LodaRat.a

Link:

https://www.hybrid-analysis.com/sample/f54c2e6d6ba28be88c0e83d20e2c26fb07a091da2acd2a8a52e4b7f6e601e952

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-12-24T01:10:00Z UTC

Last seen:

2025-12-28T08:54:00Z UTC

Hits:

~10

Detections:

Trojan.Win32.Mucc.wqu Trojan.Win32.Loader.qxr Trojan.Win32.Mucc.sb HEUR:Backdoor.Win32.Farfli.gen

Link:

https://opentip.kaspersky.com/f54c2e6d6ba28be88c0e83d20e2c26fb07a091da2acd2a8a52e4b7f6e601e952/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/946974ff-0499-4ccb-9388-67be6b5ffc63

Result

Threat name:

n/a

Detection:

malicious

Classification:

n/a

Score:

48 / 100

Link:

https://www.joesandbox.com/analysis/1840192

Signature

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Score:

71%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/f54c2e6d6ba28be88c0e83d20e2c26fb07a091da2acd2a8a52e4b7f6e601e952

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/903d616cdccaeff27ff10ae3aa3356f6

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f54c2e6d6ba28be88c0e83d20e2c26fb07a091da2acd2a8a52e4b7f6e601e952/

Verdict:

Malicious

Threat:

Family.VALLEYRAT

Link:

https://tip.neiki.dev/file/f54c2e6d6ba28be88c0e83d20e2c26fb07a091da2acd2a8a52e4b7f6e601e952

Threat name:

Win32.Trojan.Malgent

Status:

Malicious

First seen:

2025-12-25 10:56:00 UTC

File Type:

PE (Exe)

AV detection:

10 of 24 (41.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6vgc43llukf6rdaoqpja4lbg7md2beo2flgsvcss4s37nzqb5fja._file

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery installer

Link:

https://tria.ge/reports/251227-b1mhzawnfm/

Behaviour

Suspicious use of WriteProcessMemory

Inno Setup is an open-source installation builder for Windows applications.

System Location Discovery: System Language Discovery

Executes dropped EXE

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/331b829a-4d18-4a20-9ed3-fdb34f4bf026

Unpacked files

SH256 hash:

f54c2e6d6ba28be88c0e83d20e2c26fb07a091da2acd2a8a52e4b7f6e601e952

MD5 hash:

903d616cdccaeff27ff10ae3aa3356f6

SHA1 hash:

a6beb5584099b4e663af9715e6bbad52b438f580

Link:

https://www.unpac.me/results/7d78412f-e0b1-4069-a92b-b0a276525fe6/

SH256 hash:

a45f535cb7992795e6f1401864ad0fa0fe53121d1d437d57b58fd2db9ab9549d

MD5 hash:

68839f6656d6f0fd49be51d9a6860b38

SHA1 hash:

04e22b38706f562a2698cfc6201aa8969de66d78

Link:

https://www.unpac.me/results/7d78412f-e0b1-4069-a92b-b0a276525fe6/

SH256 hash:

388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

MD5 hash:

e4211d6d009757c078a9fac7ff4f03d4

SHA1 hash:

019cd56ba687d39d12d4b13991c9a42ea6ba03da

Link:

https://www.unpac.me/results/7d78412f-e0b1-4069-a92b-b0a276525fe6/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f54c2e6d6ba28be88c0e83d20e2c26fb07a091da2acd2a8a52e4b7f6e601e952

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BlackMoon Create hunting rule
Author:	NDA0E
Description:	Detects BlackMoon

Rule name:	blackmoon_payload_v1 Create hunting rule
Author:	RandomMalware

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MALWARE_Win_BlackMoon Create hunting rule
Author:	ditekSHen
Description:	Detects executables using BlackMoon RunTime

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/46203/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample